In looking at CERT's security vulnerabilities summary for 2005 last week I pointed out that they have a tendency to be remarkably over-enthusiastic when counting Unix and related application vulnerabilities. This looks like systematic anti-Unix, pro-Microsoft bias at work in a U.S. government agency. Today I'd like to look at the other side of the coin: are they equally enthused over Microsoft's vulnerabilities?

There is some surface comparability. For example, both the Unix and Windows lists focus mostly on applications and both lists contain duplicates, about 18% for Windows and 62% for Unix.

On the other hand a quick review of the Microsoft side suggests that there are three main problems with that list:

Microsoft and other Windows-related vulnerabilities are generally categorized in terms of a generic "Windows operating system" that equates Windows 98 to Microsoft's 64-bit XP Advanced Server 2003 for Itanium and subsumes everything in between;

The vulnerability descriptions in the CERT bulletin tend to be weaker and less inclusive with respect to risk, applicability, and the existence of demonstration code than the underlying CVEs; and,

Microsoft's patch bulletins seem to show more vulnerabilities and updates than CERT does in reports linked to those bulletins.

For example, if you search MITRE's CVE database for Windows 98 vulnerabilities discovered during 2005 you get four listings, of which the first is:

CVE-2005-1208

Integer overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file with a large size field that triggers a heap-based buffer overflow, as demonstrated using a "ms-its:" URL in Internet Explorer.

Notice the differences in terminology and emphasis between that CVE and CERT's description of the same issue, quoted below: the CVE says "allows", CERT says "could allow"; the CVE lists four affected operating systems and includes their predecessor releases, while CERT's summary sentence omits all mention of any Windows OS, limits the impact to users of the MS HTML Help facility, and elides the reality that this means virtually every IE user.

A remote code execution vulnerability has been reported in HTML Help that could allow a malicious user to take complete control of the affected system.

[Affecting] Windows 2000, XP, Server 2003, 98, 98 (SE), and ME

Currently we are not aware of any exploits for this vulnerability.

But the source CVE explicitly mentioned a demonstration attack.

Go back another step, to Microsoft's own bulletin on this, and you get the "could allow" phraseology back, along with the information that this is actually the fourth variant or update (see MS03-044, MS04-023, and MS05-001); that the vulnerability requires only that the user visit an attacker-controlled website via IE; and that a much longer list of software is affected:

In total, therefore, there are at least five updates, ultimately covering eight Microsoft Windows application products, affecting nine major OS variants - all counted as one in the CERT annual summary.

Notice that the CVE cites NT 4.0, mentions demonstration code, replaces a "could let" with "allows", and offers a more general view of the vulnerability.

I haven't reviewed very many of CERT's Windows listings, but this seems to be a general pattern: CERT's summary assessments of Microsoft-related vulnerabilities are soft-pedaled relative to the underlying CVE or Microsoft's own bulletins, and CERT's summaries show fewer affected OS releases or products, fewer mentions of exploits or demonstration code, fewer mentions of previous patches that failed to completely fix the problem, and fewer mentions of patch or report updates.

As I said last week, CERT's excuse for its over-reporting of claimed Unix vulnerabilities is that it merely counts claims and doesn't pretend to judge the validity of those claims. According to this argument, misleading news reports like this one by O'Reilly's Preston Gralla are the result of reportorial laziness or incompetence, and therefore not a predictable consequence of the way CERT selects and publishes its summary information.

"Windows Has Fewer Security Holes than Linux" (Jan. 11, 2006)

The conventional wisdom holds that Windows is a security sieve, while Linux is locked down tight. Then why does Linux have three times the number of security holes as Windows?

A 2005 year-end vulnerability summary by US-CERT (United States Computer Emergency Readiness Team) concludes that Linux/Unix accounted for an eye-opening 2,328 vulnerabilities, about 45 percent of the total of 5,198 vulnerabilities for the year.

Windows, by way of contrast, had only 812 vulnerabilities during the year, 16 percent of the total.

...

I believe, however, that CERT's defense is Clintonesque in its evasiveness, and that Mr. Gralla should feel embarrassed by his source rather than by his actions - he did nothing wrong in correctly reporting what CERT said and, in fact, added a warning a bit later in his article that not all vulnerabilities should be considered equal.

Nevertheless, CERT's "caveat emptor" argument might have formed the basis for a workable defence if CERT had applied the same approach to both sides of the list. But that's not what they did: instead, they seem to have uncritically accepted almost any vulnerability claim that could be counted against Unix while sanitizing and "down-threating" at least some Windows vulnerabilities, failing to count at least some updates expanding the scope of a vulnerability, and silently dropping at least some mentions of exploit or demonstration code.

The bottom line is simple: this looks like systematic anti-Unix, pro-Microsoft bias at work in a U.S. federal government agency charged with honestly informing the public about OS and related cyber security risks - a job they're not doing.
